3 steps to set corporate risk appetite

Ok, the title is obviously irony. If you have seen any of my posts you will know how sceptical I am of this management fad called risk appetite. I am actually old enough to remember when consultants started pushing this concept pretending it was both new and useful. Anyway, since the concept is unlikely to disappear any time soon, we might as well use it for our advantage.

You may have seen the new COSO guidance on Understanding and Communicating Risk Appetite by Dr. Larry Rittenberg and Frank Martens. This article is not about that COSO document, which is absolute rubbish. If you want, you can watch my almost page by page review below:


This article is about practical application in non-financial companies.

But first, important caveat. Risk appetite statements in any shape of form are moronic. If you are hoping to learn how to write one in this article you probably shouldn’t be working in risk. No organisation should ever have a risk appetite statement.  

10% of the time risk appetite is imposed by laws and regulations, not set

Despite what consultants are telling us, a lot of the time risk appetite is imposed, not set by management. Think of risk appetite as a dog’s leash or boundaries that regulators, stakeholders and government set on the companies.

Examples include zero-tolerances or limits on safety, bribery and corruption, AML, pollution, sanctions, privacy, etc, etc. None of these have to be documented in a risk appetite statement, because there are already existing Board level policies covering this.

Does the risk manager need to do anything here? Probably not.

10% of the time risk appetite is the gentlemen’s agreement between Board and management

Boards have an important oversight role and help them set the direction and boundaries for management decision making. Those management decision making boundaries is risk appetite.

Examples include deal approvals only by Board above a certain limit, limits on holding percentage of cash in certain pre-approved banks, rules on credit limits for certain types of customers, limits on investments in different countries, etc, etc.

Does the risk manager need to do anything here? Probably not. Maybe review how management is tracking against those limits. I once had an interesting case study where the risk manager showed that management was actually not taking enough risk based on the appetite set by the Board. The management ended up significantly changing the investment strategy taking on more risk while still staying below the limit.

80% of the time risk appetite is the risk reward trade-off

This one is my favourite, because the consultants and organisations like COSO are clueless about this most important and useful application.

The two applications above have been around for decades, long before some consultants (it was most likely Oliver Wyman) came up with the name “risk appetite”, and there is not much for the risk managers to do that compliance officers or management hasn’t done anyway. This application on the other hand is very powerful and something risk managers can stuck their teeth into.

The key is making uncertainty around decision making transparent to allow decision makers choose the alternative which offers the most appropriate risk reward balance according to their individual appetites.

One of the common applications can be showing alternative decisions against the efficient frontier (example below)…


…or running simulations to calculate the probability of favourable outcomes (example below) or show target using probabilistic ranges…

MIRR 4 v16 no events

… or show how different alternatives have very different risk profiles (example below)

How to overlay density plots in R? - Stack Overflow

I had an interesting case study on the above many years ago. The first simulation my team has ran showed the probability of success for a given strategy was less than 0,1%. The management immediately said this was not something they were willing to take to the shareholders. So they ended up adjusting their assumptions, changing the strategy, resetting priorities and resource allocation. The new strategy had 70% of success and the management felt comfortable that this was within their risk appetite.

The bad news of course is that to write a risk appetite statement a risk manager doesn’t need any real competencies, anyone could do it. To run simulations and calculate efficient frontier risk managers need strong quants.

Learn more at the upcoming online RAW2020 https://2020.riskawarenessweek.com/

RISK-ACADEMY offers online courses


Informed Risk Taking

Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!


ISO31000 Integrating Risk Management

Alex Sidorenko, known for his risk management blog http://www.riskacademy.blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.


Advanced Risk Governance

This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.